You should do the csr from a server so that you can export the private key.
Then sign it, import it to the server, then export it with the private key.
Then import it on the controllers.
Easiest way is to use a Windows box with IIS or a Linux box with openssl.